David Schwartz wrote:
> Dr. Stephen Henson wrote:
>
>>A determined and knowledgeable attacker can subvert anything that's
>>not in hardware.
>
> I think this is a very strange thing to say. If he has access to the
> hardware, he can subvert it too. If he doesn't have access to the hardware,
> how can he subvert the software?
Software is exploited or subverted all of the time without access
to the physical hardware. You don't even need a shell account on
the system if there's a remote exploit.
Most, but not all, hardware can be compromised if you have
physical access. Hardened equipment is not cheap.
>>Pulling a cert from a server isn't that much
>>harder to break given that it's trivial to set up a local DNS
>>server that will redirect queries to the attacker's own server.
>
> So sign the cert. No hardware needed.
How do you verify it's ultimately signed by the right certificate?
You need to get the root certificate from somewhere.
>>(Or to simply use the same editor to replace your URL with their
>>own.)
>
> Sure, if you have access to the software. If you have access to any
> security scheme, you can simply disable the scheme.
The original context was Dr. Henson's well-grounded observation
that anyone with a hex editor could easily change an embedded
certificate. Once you have access to the software then anything
in it, or its environment, can be changed at will.
> If you have that level of control over the process, you can make the
> process do anything you want, but you could just do what you wanted anyway
> with that level of control over the system. So what do you need the process
> for?
>
> If someone wants to alter the certificate that secures their own
> machine, why should I care? You can certainly break things that you
> are allowed access to.
Reread what you just wrote - what if the certificate is used to
verify credentials provided by others to gain access? (BTW don't
assume it's only protecting a machine. Maybe this is part of an
application that controls access to extremely expensive or
sensitive material.) Give me the ability to reset the root
certificate and I have an unlimited pass throughout your system.
Potentially worse I can deny access to your legitimate users.
Another example of a certificate as a credential - license keys.
Maybe we're talking about software that normally sells for $10k,
but also has a $100 student version with limited functionality.
Same software, but I think most of us can see how the company will
make a distinction between the guy who paid nothing, the student
who got an educational version, and the company that bought a full
license.
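As an added illustration of the point above that the verifier has to get its root certificate from somewhere, and that whoever can swap that root decides what "verifies" (example script written for this page, not code from the thread or from the OpenSSL project; it assumes the openssl command-line tool is installed, and every name and file in it is constructed for the demo):

```shell
#!/bin/sh
# Added illustration, not from the thread: whoever supplies the root
# certificate decides which leaf certificates "verify". All names and
# files are constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root named "$1 Root" and a leaf it has signed.
make_root_and_leaf() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1 Root" -keyout "$WORK/$1-root.key" \
    -out "$WORK/$1-root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1 Leaf" \
    -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$WORK/$1-leaf.csr" \
    -CA "$WORK/$1-root.pem" -CAkey "$WORK/$1-root.key" -CAcreateserial \
    -out "$WORK/$1-leaf.pem" >/dev/null 2>&1
}

# verify_with ROOTNAME LEAFNAME: prints "ok" if the leaf chains to that root.
verify_with() {
  if openssl verify -CAfile "$WORK/$1-root.pem" "$WORK/$2-leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# SHA-256 fingerprint of a root. A verifier that records this value can
# notice a swapped trust anchor, but only if the record itself is kept
# somewhere the same hex editor cannot reach (the thread's point).
root_fingerprint() {
  openssl x509 -in "$WORK/$1-root.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

make_root_and_leaf legit    # the vendor's real trust anchor
make_root_and_leaf rogue    # a root under someone else's control

echo "legit leaf, legit root:  $(verify_with legit legit)"   # ok
echo "rogue leaf, legit root:  $(verify_with legit rogue)"   # fail
echo "rogue leaf, rogue root:  $(verify_with rogue rogue)"   # ok
echo "expected root fingerprint: $(root_fingerprint legit)"
```

The third line of output is the whole argument: once the root file the verifier reads has been replaced, the rogue leaf passes exactly the same check the legitimate one does.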
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]